Slashdot Mirror


Where is the Line on Email Privacy?

A Conflicted Hosting Admin asks: "Imagine you're a webmaster running your own server. You provide email accounts to a third party as a 'service' in addition to hosting a web site for the third party. Now, suppose that one of the companies that you are hosting a site and email addresses for decides they need access to an email account for a previously disassociated employee. Does that company now have access to the email even though there is no written contract nor technology use policy? Where does the independent hoster look for guidance on something such as this?"

"It could be interpreted that the company is looking for evidence of impropriety or dishonesty on the part of the prior employee, but there was never a question before the sudden termination to suggest anything out of the ordinary was ongoing. I am such an admin. I am ready to allow access to the company requesting it. Several details are bugging me though. First, I have never been asked for access to any other terminated employees' email. Second, I recently inquired about preserving email for a different employee and got the short answer that all company ties had to be completely terminated. Third, the server is not owned by the company in question. I'm completely (other than the following item) independent of the company. Fourth, it's my relative's account.
I've simply not responded so far, but how far do I go? I'm not an ISP and I don't have agreements with the users. I'm also not the IT dept. Has anyone else had anything remotely similar, and if so, how did you respond?"

8 of 103 comments

  1. employee contact by !the!bad!fish! · · Score: 2, Informative
    IANAL, in the UK the standard policy is to quote the Data Protection Act and delete any evidence.

    If the employee's contract, like mine, states that the company owns all e-mail communication, then they own it.

    --
    Kids today are tyrants. They contradict their parent, gobble their food, and tyrannize their teachers. - Socrates 400 BC
  2. Policy, policy, policy by Jon+Peterson · · Score: 4, Informative

    Hi,

    As resident information officer for my little company, I've had both legal advice (in UK) and experience of similar situations.

    First off, the paperwork you need to worry about is the stuff between you (3rd party email services provider) and your customer (the company). What the company did or didn't say to the employee isn't really your problem - although it is their problem.

    Now, ideally, your contract, or your services schedule would contain something saying just what happens in this situation. If not - now's the time to add it!

    I would think that if the company phoned up and said 'sorry to be thick but I've forgotten the password for account xyz can you reset it?' then you'd do that, because handling lost or forgotten passwords is what you as service provider do.

    And that, basically, is what has happened. Now, it _may be_ that the company actually promised the employee that it wouldn't read their old email once they'd left (a somewhat odd promise anyway). But, that's not your problem. You aren't helping the company break its promise, because you don't know about its promise.

    More importantly it's NOT YOUR PLACE to determine your customer's privacy policies. That's actually quite important because your customers are (under UK law) liable for YOUR decisions regarding privacy. In order to deal with that liability your customers need to know what you will do in a given situation, and simply turning round and saying 'sorry dude I'm not going to tell you that' isn't good enough. A privacy policy that's too strict is just as bad as one that's too loose.

    That last sentence may seem odd, but consider this. Your customer is liable under the UK Data Protection Act for any personal information it holds. Now, just before Employee left the company, someone sent a copy of their CV to Employee on the off chance of getting a job. Now, that CV is sensitive personal information, and Company MUST be able to access it and/or remove it if the author of the CV so requests.

    So, it's no good them saying 'sorry, we can't delete your CV from our mail server because our ISP won't let us, so I guess it'll just hang around on the hard disk for ages until some guy somewhere with a root password takes a look at it'.

    No good at all, you see?

    So, my advice is:

    1) Don't play 'privacy hero' and decide what your customers can and can't do.
    2) Get some data protection rules into your contracts asap.
    3) Meanwhile act assuming that the customer is honest and decent - if they aren't it won't be your fault, but if you pre-judge them as evil spying people then it will be your fault.

    --
    ----- .sig: file not found
  3. Conflicting answers by redelm · · Score: 3, Informative
    You will get conflicting answers because the expectations and understanding in this area is still evolving.

    Traditional UNIX sysadmin ethics prohibit snooping in email for any reason. Snooping files and traffic is similarly verboten, except debatably (ulimit) in the case of excessive resource usage. This was done to increase user confidence and frank discussions in electronic media.

    Current capitalist thinking is whoever pays, owns. This is pushed because email has proven to be very popular, frank and valuable. A victim of its own success.

    Personally, I did snoop in my wife's email. That's why she's now my ex. Neither qualms nor regrets.

  4. Chances are good that... by stienman · · Score: 2, Informative

    I imagine the only reason you know about this is because you haven't given them direct access to set up and delete email accounts, or to change the passwords on them. Here is my advice:

    If the email is addressed to their registered domain, then they own the email.

    If the email is addressed to your registered domain, then who owns the email depends on the agreement you had with them. If you did not have a written agreement which discloses ownership of email sent to the addresses the agreement is written for, then run, don't walk, directly to your lawyer. At this point it becomes a you said/they said type of issue.

    You could simply tell them what your policy is after the fact, and follow through with your new 'policy', but if you favor your relative they may sue you, and if you favor them your relative may sue you, so at this point it's best to stop and get advice from someone who can represent you if their advice goes awry.

    Lastly, send out a new terms of service to all current 'customers' explicitly stating your terms of service. Tell them that if after 30 days they are still hosting with you then that act shows they agree to the new terms of service.

    In the company I work for I regularly forward email accounts to the employee who is either taking over the old position or the employee who is handling most of the added workload. The simple fact is that a lot of work-related (and contract work at that) email is always in the pipeline, and a customer is not going to take "We fired the employee and deleted their email for privacy" as an excuse for why we didn't respond to their request in a timely manner. Our employees understand this when they come and when they go. This forwarding is only active for a month or so, and we prevent any outgoing emails from being created in that person's name from our mailserver.

    -Adam

  5. Who paid? by jmlyle · · Score: 3, Informative

    That's really what it comes down to, I think. Whoever arranged for the service to be provided to the employee and paid for it (or managed the relationship, if the service was free) is the owner of the data.

    I really don't like it either, but a couple of times I have been required to provide people's email to my boss, including a Vice-President. I had to do a little bit of soul searching on that, but not a whole lot.

    Then I was, at another point, asked if I could archive all incoming and outgoing mail. I made a half-hearted effort, and eventually reported back that it wasn't possible. It was an ugly time all around in those days. At least I kept my job after 90% of the employees were laid off.

    But then again, none of these people were my relatives. I hated them all.

    --
    I have misplaced my pants.
  6. Wait... by pbrammer · · Score: 3, Informative

    You simply wait for a court order. That's how things work. Don't hand anything over without a court order. Simple.

    If they don't have a contract with you stating that their e-mails on your system are their property, then you don't have to give them anything -- unless some court feels you need to.

    Phil

  7. Too late by RMH101 · · Score: 2, Informative
    "there is no written contract nor technology use policy?"

    That's you screwed then. Don't do *anything* without your line management putting it in writing. You'd be opening yourself up to all sorts of legal nasties. In the EU, it's very thorny: despite AUPs to the contrary, people have still been charged for infringing the HRI by reading others' email. Even if the AUP covers it, mind: also bear in mind any email that account's received from other people. They didn't sign any policy and so could argue that you've infringed their privacy.

    All this is closing the door after the horse has bolted: get a formal ToS written now by a lawyer, get everyone to sign it, and tread carefully.

  8. Read the ECPA - this is covered by Animats · · Score: 3, Informative
    Read the Electronic Communications Privacy Act. This may raise some questions, but sending a copy of this section of the ECPA back to the company is likely to result in some serious thinking about the issue. The ECPA only allows disclosure to the "addressee or intended recipient", or the "subscriber, in the case of remote computing service". Who's the subscriber here?

    Clearly, though, you can obtain consent from the original addressee and then disclose.